On 12 December, the Financial Conduct Authority (FCA) finally issued its official response to the public consultation on non-financial misconduct (NFM). This was issued through a Policy Statement PS25/23, finalising new binding regulatory rules and accompanying official guidance on NFM.
Ten takeaways from the Policy Statement are listed below.
The Policy Statement
79 respondents contributed to the consultation, including Squire Patton Boggs. At long last, we have the final rules and guidance, which will be binding on all FCA-regulated firms from 1 September 2026. Or so we thought.
The FCA maintains that it is not possible “to provide enough examples or case studies” to address the “wide range of scenarios” that firms may encounter, though in all honesty it does not seem to have tried that hard. The bottom line is, while this official guidance is helpful to a degree in determining how firms should assess and handle NFM, they will still be left largely to their own devices to analyse and report instances of NFM against a backdrop of ever increasing scrutiny and pressure from the FCA to stamp out poor cultural habits and behaviour in the sector.
As before, the situation remains that each case needs to be considered on a case-by-case basis. Instead of case studies and illustrative examples, the FCA has provided flowcharts and decision trees on the stated grounds that each case is unique, giving case studies could mislead firms and firms need to exercise their own judgment. Absolutely all of which could have been accommodated a great deal more helpfully with a number of appropriately caveated case studies. We do not subscribe to the view that because the FCA cannot provide case studies for every possible situation, the next most helpful thing to do is not provide any at all. “Exercising their own judgment” is all well and good, but where the consequences of getting that wrong can be material, you would have hoped that the FCA would have sought to make that judgement as informed as possible.
This Policy Statement gives approximately nine months for relevant firms to get their processes and procedures in place, and to make sure all relevant staff and managers understand the rules. It is a time of amplified scrutiny and we predict much trial and error will need to take place from when the guidance takes effect.
Given that the Employment Rights Act 2025 gained royal assent on 18 December, and phased implementation will begin in April this year, there will be some overlap with the new employment law framework, including the extension of tribunal limitation periods from three to six months and the higher obligation to prevent sexual harassment (all reasonable steps) including against third parties, from October 2026.
The FCA states that if firms’ judgements are reasonable as to whether misconduct is serious enough to amount to a breach, then that will comply with their rules. This still does not provide the clarity firms might have expected from this final publication. The hope must be that the FCA’s approach to reasonableness is akin to that of the Employment Tribunal, i.e. that there is in effect a range of reasonable responses to a particular instance of NFM, and that provided the employer stayed within that, it should not matter that the FCA might have done something different. Certainly, this was the suggestion we made in our response to the consultation.
Firms will need to ensure compliance with two frameworks at the same time: a more employee-friendly set of employment law rights and the FCA’s strengthened rules and attention to NFM. Informal warnings will not need to be reported, but any disciplinary action in response to NFM, including issuing a formal written warning, suspension or dismissal or remuneration clawback, will be reportable. But – what happens if a firm wrongly assesses an instance of NFM? The FCA can use its supervisory and enforcement powers to investigate firms, with an array of sanctions at its disposal, including a failure to report the behaviour itself. What is far less clear, but no less critical to the fair operation of these rules is how the FCA will deal with cases where, perhaps through excessive fear of these new rules, employers deem something to be sanctionable NFM and report it as such where on any reasonable or objective view, that threshold was just not met.
Employer preparation will need to include reviewing and revising disciplinary and conduct policies, as well as training managers on NFM duties. While the FCA has said it won’t retroactively apply the new duty, firms are advised to ensure their practices are compliant with the Code of Conduct (COCON) and should undertake risk assessments internally to ensure good practice in readiness and should undertake risk assessments internally to ensure good practice in readiness.
Ten Takeaways from the Policy Statement
We summarise some of the key elements of the FCA’s Policy Statement below:
The COCON rule change bringing non-banks into the scope of the COCON is unchanged and will still take effect from 1 September 2026, together with the accompanying guidance.
The FCA says: “Non‑financial misconduct’ includes a wide range of behaviour, essentially any misconduct not of a clearly financial nature. It is not possible to list all types of misconduct that might amount to a breach of COCON (or of fitness standards in FIT), as each case requires individual judgement based on its specific circumstances”.
However, NFM will include harassment of a fellow member of the workforce, aligning closely with the definition of harassment under the Equality Act 2010, although it is set much broader and is not limited to protected characteristics. This is so that “good relations” can be fostered between those who share a protected characteristic and those who do not.
Both the purpose and effect will be taken into account. The following example has been provided in respect of intent: hostile communication which is intercepted before it is delivered can still be a breach of the COCON if it is intentional.
We take this to mean that a colleague writing a hostile or intimidating email, or Teams message constitutes a breach, even if it remains unsent. It’s clear that the intent matters greatly, but this leaves open the glaring question of how this can be monitored given it will not be easy to see what individuals are writing up in their “drafts’” or otherwise.
The following conduct is in scope as a possible breach of the COCON:
a. Conduct at work locations, including at offices
b. Conduct through firm-related communications
c. Conduct at client workshops or events for the purposes of financial services, e.g. training events, award ceremonies or workshops organised by clients
d. Work-related social media activity directed at colleagues or relating to work purposes This means that conduct is in scope if the NFM relates to the performance of the individual’s role in financial services, given the above are all inherently related to performance of functions.
Importantly, the following are NOT within scope of the COCON:
a. Entirely private and personal conduct with no work connection
b. Private matters or disputes between individuals which is not related to work
This means that private life is entirely out of the scope of COCON and the FCA cannot regulate purely personal conduct, but it can however be relevant when assessing fitness and propriety for any individual. This is not new and has been the case for some time.
A breach of the COCON can occur where there is deliberate action, recklessness or turning a blind eye (“for example, being aware that something is likely but avoiding confirming it”). Carelessness will not itself be enough.
A breach of the COCON in relation to due skill, care and diligence is assessed objectively. This will mean that managers must intervene to stop bullying if they know, or should reasonably have known about it and have authority to act. Therefore, if a manager couldn’t reasonably have known or if they did not have authority to act, they will not be culpable. Managers are not defined but the FCA have clarified it is not limited to a line manager only. Small-scale fraud will also be a breach of due care, skill and diligence.
The rules also extend to managers in relation to the following:
a. Failing to operate the firm’s policies, systems and controls to detect and prevent NFM, and if they have authority, to set up and maintain such policies, systems and controls.
b. Failing to take seriously or to deal appropriately with complaints of relevant NFM
c. Failing to take reasonable steps to provide a safe environment for people to raise concerns about such treatment
Seriousness remains a key requirement. The FCA has clarified that minor incidents (e.g. thoughtless comments and isolated rudeness) will not breach the COCON.
Single incidents can constitute a breach if sufficiently serious, e.g. a single incident of violence, but as across the whole NFM piece, context is important.
Please do contact our specialists if you would like to discuss these changes or indeed require any other support in relation to financial services.
